Release Date: 14/02/2021 | Issue: 74
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies
Squatting valid internal package names is a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds.   #ci/cd   #attack


Building a secure CI/CD pipeline for Terraform Infrastructure as Code
How the OVO team created a model for delivering infrastructure changes with robust security practices, and used it to build a secure Terraform CI/CD solution for AWS.   #aws   #ci/cd   #build


Defending Infrastructure as Code in GitHub Enterprise
Paper that examines a common deployment of infrastructure as code via GitHub Enterprise and HashiCorp Terraform, explores an attack scenario, examines attacker tradecraft within the context of the MITRE ATT&CK framework, and makes recommendations for defensive controls and intrusion detection techniques.   #ci/cd   #defend


Initial Reaction to AWS Audit Manager
AWS Audit Manager is not quite there yet. The intent of the service is clear and you can begin to see the foundation of what this service could be. There are a few gaps that AWS Audit Manager will have to continue to improve upon to make this service usable for its customers.   #aws   #explain


Opting out of AWS AI data usage
Why you should opt out of the AI data usage on AWS, how to do that, and how to confirm you did it correctly.   #aws   #build


Learn How To Create Network Policies for Kubernetes
Tutorial that will teach you how to create a network policy using the Cilium Editor. It explains basic network policy concepts and guides you through the steps needed to achieve the desired least-privilege security policy.   #k8s   #build


Getting started with Kubernetes audit logs and Falco
What the Kubernetes audit logs are, what information they provide, and how to integrate them with Falco to detect suspicious activity in your cluster.   #k8s   #monitor


Enforce Custom Resource policies with Open Policy Agent Gatekeeper
How to use Open Policy Agent and its Gatekeeper project to enforce policies when creating custom resources.   #k8s   #defend


Wait Conditions in the Kubernetes Provider for HashiCorp Terraform
HashiCorp recently improved the wait_for configurations on several resources, as well as introduced an entirely new generic waiter. The new and improved configuration options allow you to specify whether Terraform should wait for a specific condition, or not, before continuing to apply your configuration or complete successfully.   #terraform   #build

Tools


iamlive
Generate basic AWS IAM policies using client-side monitoring of calls made from the AWS CLI or SDKs.


iam-role-enumeration
Another way to enumerate AWS IAM users/roles without being authenticated to the victim account.


cloudlist
Cloudlist is a tool for listing Assets (Hostnames, IP Addresses) from multiple Cloud Providers.


kctf
kCTF is a Kubernetes-based infrastructure for CTF competitions.

From the cloud providers


#AWS   New digital curriculum: Managing Amazon S3
AWS announced a free new digital curriculum: Managing Amazon Simple Storage Service, which covers techniques to simplify the management of S3 storage.


#AWS   Use new account assignment APIs for AWS SSO to automate multi-account access
How you can programmatically assign and audit access to multiple AWS accounts for your AWS Single Sign-On (SSO) users and groups, using the AWS Command Line Interface (AWS CLI) and AWS CloudFormation.


#GCP   Don't fear the authentication: Google Drive edition
Just as you can share a Drive folder with a person, you can also share a Drive folder with an IAM service account. Or a Sheet, or a Doc. Whatever it is you want to integrate into your GCP application.


#GCP   6 best practices for effective Cloud NAT monitoring
Best practices for effective Cloud NAT monitoring in GCP: monitor port utilization, monitor the reasons behind Cloud NAT drops, leverage log-based metrics, monitor top endpoints and their drops, baseline a normalized error rate.


#GCP   Centrally Managing Artifact Registry Container Image Vulnerabilities on Google Cloud
How to utilize Pub/Sub and Cloud Functions to store project level container image vulnerabilities in a centralized service or location.


#GCP   Google Cloud samples
Search for samples demonstrating the usage of Google Cloud products, across ML APIs, Storage, serverless, and more. You can filter by language and product.


#AZURE   Azure DDoS Protection - 2020 year in review
The prevalence of Distributed Denial-of-Service (DDoS) attacks in 2020 has grown more than 50 percent with increasing complexity and a significant increase in the volume of DDoS traffic.


#AZURE   Baseline architecture for an Azure Kubernetes Service (AKS) cluster
Recommendations for networking, security, identity, management, and monitoring of AKS clusters based on an organization's business requirements.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini